I am reading the OWASP XSS prevention cheat sheet and got stuck in understanding something:
Why Can't I Just HTML Entity Encode Untrusted Data

HTML entity encoding is okay for untrusted data that you put in the body of the HTML document, such as inside a <div> tag. It even sort of works for untrusted data that goes into attributes, particularly if you're religious about using quotes around your attributes. But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the encode syntax for the part of the HTML document you're putting untrusted data into. That's what the rules below are all about.
I'm not able to create a working POC of how an HTML-encoded XSS attack vector can trigger XSS inside the <script> tag.

Help me to understand this.
HTML encoding refers to replacing < with &lt;, > with &gt;, and & with &amp; (among other replacements). What the paragraph is saying is that this does stop XSS inside a normal tag, for example if you try to inject <script>alert(1)</script> into a p tag, you get:

<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

which doesn't do anything. However, if the XSS vector goes inside a script tag instead of a p tag, then you can just enter

alert(1)

and it ends up as:

<script>alert(1)</script>

which causes XSS.
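The two contexts from the answer side by side, as an added example that is not part of the original question or answer: the same untrusted string entity-encoded into a paragraph (where it is inert) and into script code (where "alert(1)" contains nothing to encode and runs unchanged), plus a JavaScript-context encoder of the kind the cheat sheet's rules require. The template strings, function names and payloads are assumptions made for illustration.

```python
import json

# Constructed example: minimal encoders and templates, not a real framework.
HTML_ENTITIES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def html_entity_encode(untrusted: str) -> str:
    """Replace the characters that have meaning to the HTML parser."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in untrusted)


def js_string_encode(untrusted: str) -> str:
    """Encode untrusted data as a JavaScript string literal.

    json.dumps supplies the quotes and backslash escapes. The extra
    replacements matter because the HTML parser treats <script> content as
    raw text: it never decodes entities there, but it does stop at the first
    '</script>', so '<' and '>' must become JS escapes, not HTML entities.
    """
    literal = json.dumps(untrusted)
    for raw, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        literal = literal.replace(raw, esc)
    return literal


def render_paragraph(untrusted: str) -> str:
    """Element-body context: entity encoding is the right tool here."""
    return f"<p>{html_entity_encode(untrusted)}</p>"


def render_script_entity_encoded(untrusted: str) -> str:
    """The mistake the cheat sheet describes: entity-encoded data placed
    straight into script code. 'alert(1)' has no <, > or &, so it is
    emitted unchanged and executes as JavaScript."""
    return f"<script>var q = {html_entity_encode(untrusted)};</script>"


def render_script_js_encoded(untrusted: str) -> str:
    """Script context done correctly: the data becomes a string literal and
    cannot close the string, the statement or the <script> element."""
    return f"<script>var q = {js_string_encode(untrusted)};</script>"


if __name__ == "__main__":
    for payload in ("<script>alert(1)</script>", "alert(1)",
                    "</script><script>alert(1)</script>"):
        print(render_paragraph(payload))
        print(render_script_entity_encoded(payload))
        print(render_script_js_encoded(payload))
```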